Add guardian approval MVP

[charley-oai]

Summary

• add the guardian reviewer flow for on-request approvals in command, patch, sandbox-retry, and managed-network approval paths
• keep guardian behind features.guardian_approval instead of exposing a public approval_policy = guardian mode
• route ordinary OnRequest approvals to the guardian subagent when the feature is enabled, without changing the public approval-mode surface

Public model

• public approval modes stay unchanged
• guardian is enabled via features.guardian_approval
• when that feature is on, approval_policy = on-request keeps the same approval boundaries but sends those approval requests to the guardian reviewer instead of the user
• /experimental only persists the feature flag; it does not rewrite approval_policy
• CLI and app-server no longer expose a separate guardian approval mode in this PR

Guardian reviewer

• the reviewer runs as a normal subagent and reuses the existing subagent/thread machinery
• it is locked to a read-only sandbox and approval_policy = never
• it does not inherit user/project exec-policy rules
• it prefers gpt-5.4 when the current provider exposes it, otherwise falls back to the parent turn's active model
• it fail-closes on timeout, startup failure, malformed output, or any other review error
• it currently auto-approves only when risk_score < 80

Review context and policy

• guardian mirrors OnRequest approval semantics rather than introducing a separate approval policy
• explicit require_escalated requests follow the same approval surface as OnRequest; the difference is only who reviews them
• managed-network allowlist misses that enter the approval flow are also reviewed by guardian
• the review prompt includes bounded recent transcript history plus recent tool call/result evidence
• transcript entries and planned-action strings are truncated with explicit <guardian_truncated ... /> markers so large payloads stay bounded
• apply-patch reviews include the full patch content (without duplicating the structured changes payload)
• the guardian request layout is snapshot-tested using the same model-visible Responses request formatter used elsewhere in core

Guardian network behavior

• the guardian subagent inherits the parent session's managed-network allowlist when one exists, so it can use the same approved network surface while reviewing
• exact session-scoped network approvals are copied into the guardian session with protocol/port scope preserved
• those copied approvals are now seeded before the guardian's first turn is submitted, so inherited approvals are available during any immediate review-time checks

Out of scope / follow-ups

• the sandbox-permission validation split was pulled into a separate PR and is not part of this diff
• a future follow-up can enable serde_json preserve-order in codex-core and then simplify the guardian action rendering further

[charley-oai]

@codex review this

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e4d044c3cf

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[charley-oai]

Rebased this branch on top of #13703. That precursor PR isolates the helper semantics so the guardian-specific behavior change can be reviewed separately.

[charley-oai]

Rebased this branch on top of #13703. That precursor PR isolates the SandboxPermissions helper semantics so the guardian-specific behavior change can be reviewed separately.

[charley-oai]

@codex review this

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1904fe78ec

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[charley-oai]

@codex review this

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5846ca060f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[charley-oai]

@codex review this

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7fdebc4f49

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[charley-oai]

@codex review this

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fd70f82592

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[charley-oai]

@codex review this

[chatgpt-codex-connector]

💡 Codex Review

codex/codex-rs/core/src/tools/orchestrator.rs

Lines 242 to 243 in 364c4dd

	matches!(approval_policy, AskForApproval::OnRequest)
	&& network_approval_context.is_some()

Allow guardian network retries after sandbox denial

allow_on_request_network_prompt only checks AskForApproval::OnRequest. In guardian mode, a sandbox-denied command with network_policy_decision is returned immediately instead of entering the approval/retry flow, so the guardian never reviews managed-network escalation. This breaks the stated "guardian mirrors OnRequest" behavior for blocked network access.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[dylan-hurd-oai]

Some non-blocking comments - overall this feels pretty reasonable. Excited to try it out!

[charley-oai]

@codex review this

[charley-oai]

@codex review this

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 125a5ea57c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".